apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
  namespace: testns
spec:
  ephemeralContainers:
    - name: nginx
      image: nginx
      securityContext:
        capabilities:
          add: ["disallowedcapability"]
      resources:
        limits:
          cpu: "100m"
          memory: "30Mi"
